Security Copilot - quickly turned on and off

Freep!k

• What is the challenge?
• Powershell Cmdlets
• Additional info

What is the challenge?

Since Ignite last year, Security Copilot has been integrated into the Entra Admin Center, where it provides powerful services through the so-called embedded experience for administrators. I would even go so far as to say that administration is being taken to a new level by AI. The analysis of events, the initial creation of scripts, there are so many possibilities with this new technology that are positively influencing the way we work.

But there are topics that we have to discuss

One challenging aspect here is the Secure Compute Units (SCUs), which determine computing power and cost $4 per hour, even when Security Copilot is not actively used. These charges apply as long as the resource is deployed in Azure, leading to monthly costs exceeding $2800. This is very expensive and can be especially challenging in test environments with a limited free MSDN Azure budget.

Why is there no option to pause or disable the SCU, stopping the charges until it’s used again later? Being able to temporarily disable it would be ideal, so you only pay for the service when it’s actively in use, not all the time. Cool idea from the consumer perspective, isn’t it?

However, for testing or experimenting with this powerful technology, you can delete and recreate the capacity as needed. While queries and other temporary data are lost, analyzed information such as sign-in and audit logs remain intact and are always accessible within the AI, allowing you to resume work immediately after provisioning the capacity again. This is also Microsoft recommendation

And there are two options to temporarily provision the Copilot resources: either through the Azure Portal GUI or via PowerShell. The GUI-based approach is well-documented and generally intuitive to follow. Security Copilot - get started

Powershell Cmdlets

I’d like to walk through how to achieve the same result using PowerShell, which is a much more convenient way to activate and deactivate Copilot.

Simply create a desktop shortcut to the Cmdlets described here, or expand this approach into a time-based automation workflow that you can trigger as needed to provision or deprovision the SCU. You could even automate the deletion of the SCU after a few hours, in case you forget to remove it manually.

How you structure the surrounding logic is entirely up to you; the Cmdlets presented here remain the same.

If you’d prefer ready-to-use .ps1 files, check out my PowerShell repository. You’ll find two scripts: one to create the full SCU setup including assignments, and another tiny one, a one-liner that deletes everything and immediately stops further costs.

If the AZ module is not yet installed, it must be installed beforehand.

Install-Module -Name Az -Scope CurrentUser

When signing in to Azure, we’ll specify the subscription ID directly.

Connect-AzAccount -Tenant 'YOUR TENANT ID' -SubscriptionId 'YOUR SUBSCRIPTION ID'

Next, we create a new Ressource group

New-AzResourceGroup -Name "SecurityCopilotRG" -Location "WestEurope"

The next step is only initially required

Register-AzResourceProvider -ProviderNamespace "Microsoft.Security"

Then create the SCU in the former created Resource Group

New-AzResource -ResourceName "SecurityCopilotSKU" `
    -ResourceType "Microsoft.SecurityCopilot/capacities" `
    -ResourceGroupName "SecurityCopilotRG" `
    -Location "westeurope" `
    -ApiVersion "2023-12-01-preview" `
    -Properties @{numberOfUnits=2; crossGeoCompute="NotAllowed"; geo="EU"}`
    -force

After creating the SCU, check the resource in the Azure Portal – it should look like this:

Figure 4: Successfully created SCU in the Azure Portal

Deleting the resource group is sufficient to clean up all related resources. All associated objects are automatically removed when the resource group is deleted.

Remove-AzResourceGroup -Name "SecurityCopilotRG" -force

Additional info

Pay attention to the units. In my example, I use 2 and here the more the better and faster, but also the more expensive. After Security Copilot is created, the clock starts ticking and the costs start running. The first time you have to connect the SKU to your tenant in the Security Copilot Center, but you are ready to use right away. You can now try things out and experiment with the Embedded Experience in the Entra Admin Center But don’t forget to delete the SCU again, as it has happened to me several times. And by the way, budget alerting on a subscription is always worthwhile, but especially when dealing with Security Copilot

Share this:

linkedin email

2025

• Lifecycle Workflows and Custom Extensions - step-by-step-guide 02 Feb
• Security Copilot - quickly turned on and off 16 Jan

2024

• My Top 2 Identity features from Ignite 2024 26 Nov
• Zero Trust in Azure Identity - Part 5: Simple Monitoring Break Glass Accounts 25 Nov
• Group Writeback in Entra Cloud Sync 01 May

2023

• Setup Azure automation to find unused user and computer accounts (step-by-step guide) 22 Aug
• The dilemma with unused objects in Azure AD 22 Mar
• Check your Azure AD for expiring App Secrets 07 Jan

2022

• Want to switch off ADFS? Looking for some content? 09 Jan

2021

• How to change language in M365 Portal for a synchronized identity 03 Jul
• Zero Trust in Azure Identity - Part 4: Access Reviews 19 Jan
• Zero Trust in Azure Identity - Part 3: Conditional Access 18 Jan
• Zero Trust in Azure Identity - Part 2: MFA! Is there a right way? 16 Jan
• Zero Trust in Azure Identity - Part 1: Tenant Security 16 Jan
• Zero Trust in Azure Identity: Overview of the Journey 12 Jan

2020

• More Infos on Azure AD Cloud Provisioning and news from Ignite 2020 24 Sep
• First experience with Azure AD Connect Cloud Provisioning 21 Mar